Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress a valid NameID format?

Tags:

saml

saml-2.0

In the OASIS specs I can read the following valid nameid-formats:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • urn:oasis:names:tc:SAML:2.0:nameid-format:entity

but can't find urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress.

If I do a fast google search, this format appears several times, including a documentation of Cisco Spark.

Can someone clarify to me this issue? It seems that someone invented this nameid-format and now some IdP/SP using it.

like image 751
smartin Avatar asked Jul 29 '15 19:07

smartin

People also ask

What is NameID-format in SAML?

Name ID FormatDefines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

Is NameID required in SAML?

Even though interoperability profiles "require" a NameID, the SAML 2.0 standard does not require it to be present in assertions.

What is NameID-format persistent?

Persistent aliases. Use the persistent name identifier format if you want a user to log in at the identity provider as one user, but log in at the service provider as a different user. Before you can use this name identifier format, you must link the user at the identity provider with the user at the service provider.

1 Answers

@smartin -- You appear to work at OneLogin and I recently submitted a ticket about this :-). I think your hunch is right; someone saw that there is a SAML 1.1 and a SAML 2.0 and assumed that the 1.1 in urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress was a mistake.

Section 8 of the specification document mentions this at the beginning:

The following sections define URI-based identifiers for common resource access actions, subject name identifier formats, and attribute name formats. Where possible an existing URN is used to specify a protocol. In the case of IETF protocols, the URN of the most current RFC that specifies the protocol is used. URI references created specifically for SAML have one of the following stems, according to the specification set version in which they were first introduced:

urn:oasis:names:tc:SAML:1.0:
urn:oasis:names:tc:SAML:1.1:
urn:oasis:names:tc:SAML:2.0:

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

As the e-mail address identifier was introduced back in SAML v1.1, that would make sense. Check out section 7 intro and 7.3.2 here (https://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf).

So, tl;dr: urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress is in conflict with the SAML 1.1 and SAML 2.0 specs.

like image 87
Wes Avatar answered Dec 31 '22 20:12

Wes

Sign in to Comment

Related questions

Posting a SAML token to ASP.NET MVC website
Write a SSO application on GAE
SAML and back-end REST service authentication
Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was XXX
Authenticating to SharePoint Online using cURL (using ADFS 2.1 as IP-STS)
How should I use SAML login with a REST API + SPA app?
Error while installing Python-saml package in windows
WIF (Windows Identity Foundation) with SAML 2.0
Implementing claims-based security (WCF/ASP.NET)
Validate java SAML signature from C#
How can I imitate Stack Overflows SSO? Particularly where it federates with serverfault.com?
SAML 2.0 x509 Certificate and Signature value?
Windows Identity Foundation does not officially support SAML 2.0; use WIF CTP or stick with SAML 1.1?
Creating Java EE application with SAML & ADFS for Single Sign On
How to configure Custom Attributes in SP metadata
SAML 2.0 vs OpenID
How does SAML solve SSO?
ADFS STS authentication with console application
OpendID Connect and IDP Initiated SSO
Using SimpleSAML as SP and IDP for development environnement

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!